Re: [websec] Coordinating Frame-Options and CSP UI Safety directives

Adam Barth <> Wed, 18 July 2012 23:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A82ED11E81C3 for <>; Wed, 18 Jul 2012 16:16:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id A6efut3l3ZPY for <>; Wed, 18 Jul 2012 16:16:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5891911E81C2 for <>; Wed, 18 Jul 2012 16:16:44 -0700 (PDT)
Received: by yhq56 with SMTP id 56so2405893yhq.31 for <>; Wed, 18 Jul 2012 16:17:35 -0700 (PDT)
Received: by with SMTP id a66mr2621848yhj.91.1342653455613; Wed, 18 Jul 2012 16:17:35 -0700 (PDT)
Received: from ( []) by with ESMTPS id r25sm709226yhi.13.2012. (version=SSLv3 cipher=OTHER); Wed, 18 Jul 2012 16:17:34 -0700 (PDT)
Received: by obbwc20 with SMTP id wc20so3251796obb.31 for <>; Wed, 18 Jul 2012 16:17:32 -0700 (PDT)
Received: by with SMTP id hz6mr3787913obb.79.1342653452958; Wed, 18 Jul 2012 16:17:32 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 18 Jul 2012 16:17:02 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <>
From: Adam Barth <>
Date: Wed, 18 Jul 2012 16:17:02 -0700
Message-ID: <>
To: David Ross <>
Content-Type: multipart/alternative; boundary="f46d04447f4b1ebb4804c522dec3"
Cc: "" <>
Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety directives
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 18 Jul 2012 23:16:45 -0000

Here are two reasons we should make Frame-Options into a
Content-Security-Policy directive rather than

1) By centralizing all the policy bits in one string, we gain network
benefits.  For example, in the Chrome extension system, we have a field in
the manifest for specifying a Content Security Policy:

While we could add a new attribute for every different bit of policy, it's
better for developers if there's just one place that contains the security

2) By moving Frame-Options into CSP, we can use the same origin-specifying
machinery that already exists in CSP rather than inventing
yet-another-way-of-specifying origins (e.g., in allow-from in the current
Frame-Options draft).  By doing that, we make all these things work the
same way rather than siloing each off depending on which browser vendor
first decided this bit of policy was interesting.

As far as I can tell, the main reason for not making Frame-Options a CSP
directive is that CSP was Not Invented Here.


On Wed, Jul 11, 2012 at 5:22 PM, David Ross <> wrote:

> Responding to a few of the points in Brad's original mail on this thread...
> My concern is mostly around the degree to which a move to CSP might
> complicate or stall the process.  I'd also prefer not to see additional use
> cases pop up (eg: click fraud prevention) that just were never in scope
> before.
> I think that w.r.t. header bloat, the most sensible approach is to only
> allow one origin to be specified.  CSP by-design facilitates the use of
> multiple origins.  As we've discussed w/Frame-Options, there is a design
> pattern to make the more basic single-origin approach functional.  I would
> hate to see hosts serving up source lists of hundreds of origins, just
> because they can.  I think that is exactly what will happen if we support
> multiple origins.
> With regard to obsolescence of X-FRAME-OPTIONS, it's easy to specify
> exactly what happens in the FRAME-OPTIONS spec.  I don't see that CSP
> inherently improves on that but I may be missing something there.
> The advantage I see of bringing FRAME-OPTIONS into CSP is that it makes
> CSP more comprehensive.  But I suspect there are plenty of other
> header-related security features that aren't defined by CSP (eg: the origin
> header, cookie security).
> Finally, as Brad pointed out in the rosetta stone thread, Frame-Options
> provides the flexibility to perform only a top level origin check as
> opposed to a full ancestor check.  (Specified via the "AllAncestors" flag.)
> David Ross
> -----Original Message-----
> From: [] On Behalf
> Of Hill, Brad
> Sent: Monday, July 09, 2012 5:03 PM
> To: Tobias Gondrom;
> Cc:
> Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety
> directives
> Tobias,
>  I'm happy to move the discussion primarily to websec, and I'll drop the
> cc: to webappsec after this email.  Thanks for the historical
> clarification, as well.
> I'm not terribly concerned about which group does the work, as much as
> arriving at the engineering solution that works best for user agent and
> resource authors, some of whom have expressed preference for moving this
> functionality into CSP.  As both a chair and an individual, I don't have a
> strong preference, but I think there are reasons in favor of each option
> and it is worth re-opening the discussion now that the WebAppSec WG has a
> concrete deliverable under development to address the same general class of
> attacks.
> I'll send out a summary shortly of the similarities and differences
> between the various options currently proposed for some additional context.
> -Brad Hill
> _______________________________________________
> websec mailing list
> _______________________________________________
> websec mailing list